What Is Azure Sentinel (Renamed to Microsoft Sentinel)?

Azure Sentinel, renamed to Microsoft Sentinel, is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that runs in the Azure cloud. It aims to enable holistic security operations by providing collection, detection, response, and investigation capabilities.

You can use Microsoft Sentinel for security event analysis in cloud and on-premises environments. Common use cases include:

  • Visualization of log data

  • Anomaly detection and alerting

  • Investigation of security incidents

  • Proactive threat hunting

  • Automated response to security events

This is part of our series of articles about Microsoft Security.

Microsoft Sentinel (Formerly Azure Sentinel) Features and Capabilities

Here are key capabilities of Azure Sentinel:

  • Quick setup—you can deploy Sentinel via the Azure portal in a matter of minutes, with no need to install servers in the cloud or on-premises.

  • Hundreds of connectors—Sentinel provides multiple connection methods to ingest data, including Function Apps, Logic Apps, Agents, Syslog, and native codeless connectors.

  • Automated threat response—Sentinel uses playbooks and leverages Azure Logic Apps capabilities to provide automated threat response capabilities.

  • Cloud-native solution—easy to scale with no upfront costs and low administrative overhead.

  • Supports hybrid environments—can ingest data from cloud-based and on-premises systems and analyze them in a unified manner.

  • Includes a data lake—comes integrated with an infinitely scalable, low-cost data lake based in the Azure cloud.

  • Microsoft research—leverages Microsoft expertise with machine learning analysis of security data.

  • Integration with Microsoft security solutions—the Microsoft SIEM is tightly integrated with Microsoft’s security solutions, Microsoft 365 Defender and Azure Defender for Cloud.


How Microsoft Sentinel Works

Azure Sentinel, now known as Microsoft Sentinel, centralizes your threat collection, detection, response, and investigation efforts. It provides threat intelligence and intelligent security analytic capabilities that facilitate threat visibility, alert detection, threat response, and proactive hunting.

Microsoft Sentinel works according to a cycle that starts with log management, continues to schema normalization, data validation, detection and investigation, and includes automated responses to alerts. Here is how Sentinel delivers this end-to-end functionality:

  • Collection—Sentinel collects data across all devices, users, applications, and infrastructure, including components located on-premises and in multiple clouds. How data is collected dictates what detections can be run against that data.

  • Detection—Sentinel provides analytics and threat intelligence capabilities to help detect previously undetected threats and reduce false positives. Detections are written in KQL and can be stored as code.

  • Investigation—Sentinel provides artificial intelligence technology to help you hunt suspicious activities at scale. Enrichment automation and containment automation both contribute to successful SOC operations.

  • Response—Sentinel allows for custom orchestration and automation for common security tasks and business integration tasks to facilitate rapid incident response between teams who use Microsoft technologies.


Microsoft Sentinel Key Components

Data Connectors

Data connectors enable Microsoft Sentinel to ingest data from various sources. In some cases, you can add a service, like Azure activity logs, by selecting a button. Other services, like syslog, may require configuration. You can find references to data source schemas in the official documentation.

Sentinel provides data connectors covering common sources and scenarios, including syslog, clouds like Amazon Web Services (AWS) and Microsoft Azure, Common Event Format (CEF), and Trusted Automated eXchange of Indicator Information (TAXII). Custom applications, unique non-security logs, and physical security (OT) logs can be integrated into Microsoft Sentinel as well.

Workbooks

Sentinel lets you integrate Workbooks to monitor, measure, and control your data. You can create custom, interactive workbooks, starting from a variety of templates, and view them in Sentinel. You can use built-in Sentinel workbook templates to gain insights immediately after connecting a data source. Custom workbooks can be created to help with investigation workflow, executive reporting, or monitoring for specific anomalies (with a WAF, for example).

Log Retention

Sentinel stores ingested data in Log Analytics workspaces. Logs can also be forwarded to Azure Data Explorer (ADX) for long-term storage. Querying in Microsoft Sentinel requires knowledge of the Kusto Query Language (KQL); Microsoft provides a tutorial on the basics of getting started with KQL.

Analytics

Analytic rules, or SIEM content, are used to correlate alerts into incidents. Analytic rules can either be scheduled queries or queries that are run on demand. An incident is a group of related alerts that together form a potential threat. Grouping alerts into incidents enables you to investigate and resolve several alerts together.

Sentinel provides built-in correlation rules and machine learning rules to help map the behavior of your network and detect anomalies, but these require tuning within your environment to obtain maximum value. Some rules combine low-fidelity alerts on different entities into a potential high-fidelity security incident. Customizing rules, while requiring an up-front investment, can save hours of investigating false positives.
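A scheduled analytic rule of the kind described above, written as an added example (it is not from the original article and is not one of Microsoft's built-in rules). It correlates two low-fidelity signals on a shared entity, the source IP, into one higher-fidelity result. It assumes the Microsoft Entra ID sign-in connector is enabled so that the SigninLogs table is populated; the thresholds and the one-hour window are illustrative values that need tuning per environment.

```kql
// Added example: possible password spray followed by a successful sign-in.
// Assumption: SigninLogs is populated by the Microsoft Entra ID connector.
// Illustrative thresholds; tune them to your own sign-in baseline.
let lookback = 1h;
let failureThreshold = 10;       // failed sign-ins from a single IP
let distinctUserThreshold = 5;   // distinct accounts targeted by that IP
// Signal 1 (low fidelity): many failures spread across accounts from one IP.
let sprayingIPs =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"            // ResultType "0" means success
    | summarize FailedAttempts = count(),
                TargetedUsers = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated)
        by IPAddress
    | where FailedAttempts >= failureThreshold
        and TargetedUsers >= distinctUserThreshold;
// Signal 2 (low fidelity): a successful sign-in. Joined on IPAddress, it
// becomes worth an analyst's time only when the IP also matched signal 1.
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| join kind=inner sprayingIPs on IPAddress
| where TimeGenerated > FirstFailure     // success after the failures began
| summarize SuccessTime = min(TimeGenerated),
            FailedAttempts = take_any(FailedAttempts),
            TargetedUsers = take_any(TargetedUsers)
    by UserPrincipalName, IPAddress
// Map UserPrincipalName to the Account entity and IPAddress to the IP entity
// in the rule's entity mapping so that alerts group into a single incident.
| project SuccessTime, UserPrincipalName, IPAddress, FailedAttempts, TargetedUsers
```

When saved as a scheduled rule, set the query period to match `lookback` so each run evaluates the same window the query assumes.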

Threat Hunting

If Microsoft 365 logs are forwarded to Sentinel, the scope of threat hunting can expand past EDR. Successful threat hunting activities may leverage specific detection content released by Microsoft, or other threat intelligence. Threat hunting involves identifying threats that have bypassed other detection controls in the environment. Security analysts performing threat hunting follow the zero trust, “assume breach” mindset, and are able to identify sophisticated threats already dwelling in the environment.

Here is how you can use this feature:

  • Query—Sentinel threat hunting can help you discover a query that provides high-value insights into potential attacks. You can use insights derived from your query to create your own customized detection rules. You can also surface these insights as alerts to incident responders.

  • Hunt—Sentinel lets you create bookmarks for interesting events while hunting. You can return to these events later on or share the information with other collaborators. Additionally, Sentinel lets you group events into one incident to investigate as a whole.


Incidents and Investigations

Sentinel creates an incident when an alert is triggered. Automation can also be tied to an incident firing. You can investigate these incidents using the following capabilities:

  • Assignment and incident status—you can change the status of an incident or assign it to specific individuals for investigation.

  • Investigation functionality—Sentinel automatically maps entities across incidents along a timeline to visually investigate concurrent or multifaceted attacks.


Automation Playbooks

Sentinel provides SOAR capabilities that can aid in enrichment, containment, integration with an ITSM, or other custom automated incident response. Using Azure Logic Apps or Azure Functions, you can build automated playbooks to reduce analyst overhead, decrease response times, or integrate workflows between security and observability.

Microsoft Sentinel Costs

Microsoft Sentinel is a cloud-based solution, and fees are based on the service tier and the amount of data the solution captures for analysis and stores in the Azure Monitor Log Analytics workspace.

Log source cost should be weighed against both detection value and investigation value. It may also make sense to enable a log source temporarily and disable it later, once the log source is no longer relevant or the threat profile has changed. The best way to plan for SIEM costs is to enable a capacity plan.

There are two payment methods for the Microsoft Sentinel service (the first two items below), followed by two ways to ingest some data at no charge:

  • Pay-as-you-go—charges per ingested GB of data. In addition, Azure may charge fees for data ingestion to the Log Analytics service.

  • Capacity Reservation—requires users to commit to a certain number of GB of storage per day, and charges a flat daily price for storage. This model provides savings of up to 65% compared to pay-as-you-go.

  • E5 license data grant—the Microsoft 365 E5 license provides a data grant of up to 5MB / user / day to ingest Microsoft 365 data.

  • Free data sources—certain Microsoft 365 data sources are always free for Microsoft Sentinel users. These include Azure Activity Logs, Office 365 Audit Logs, and Alerts from Microsoft Defender security products.

Managed Microsoft Security with BlueVoyant

BlueVoyant is the industry’s leading integrated, end-to-end internal and external cyber defense platform based on Microsoft security technology. The BlueVoyant platform provides the following key features:

  • Managed Threat Correlations - BlueVoyant Security Content Engineering continuously creates and deploys new and updated correlations to the client’s Azure environment, making it easy to enable best practices with Microsoft Sentinel.

  • Log source optimization - if you are transferring from another SIEM to Microsoft Sentinel, we can review existing log sources and determine which to migrate and which don’t have value. We can also help with implementing Microsoft’s ASIM model for content normalization.

  • Security reporting and visualizing data value - if you need help with SOC metrics or KPIs for internal reporting, and need to justify Microsoft Security spend to non-practitioners, let us build the workbooks you need. We provide the security expertise to know what security metrics to track and where to track it.

  • Custom automation - building and maintaining automation is hard. Let us do it for you. We both create and monitor the automations used in your environment: rotating credentials, monitoring the attack surface, and more. All these should be provided as part of a managed service.
